MaskIt - Data Masking Extension for VS Code
Protect sensitive data instantly - mask PII in CSV, JSON, and XML files with customizable rules before sharing or distributing.
Features
- Multiple File Formats: Support for CSV, JSON, and XML files
- Flexible Rules: Define masking rules based on column headers or XML/JSON tags
- Content Rules: Use regex patterns to mask values regardless of field names
- Enable/Disable Rules: Temporarily disable rules without deleting them
- Multiple Masking Types: Replace all, Show ends, Fingerprint, or Scramble
- Wildcard Rules: Use
* wildcards to match multiple field names at once
- Protected Fields: Protect specific fields from ever being masked (e.g. IDs, timestamps)
- Protected Content: Protect values matching regex patterns from ALL masking (e.g. dates, booleans, URLs)
- CDATA Support: Masks content inside XML
<![CDATA[...]]> sections while preserving the wrapper
- Preview Mode: Preview masked data before applying changes
- Auto-detect Delimiters: Automatically detects CSV delimiters
- Context Menu Support: Right-click access from both editor and file explorer
Installation
From VS Code Marketplace
- Open VS Code
- Go to Extensions (Ctrl+Shift+X)
- Search for "MaskIt"
- Click Install
Quick Start
- Open a data file (CSV, JSON, or XML)
- Run command:
MaskIt: Edit Masking Rules
- Select Add Rule... and choose the rule type you want to add
- Run command:
MaskIt: Mask Data in Current File
Commands
- MaskIt: Mask Data in Current File - Apply masking rules to the active file
- MaskIt: Mask Data and Save As... - Mask and save to a new file
- MaskIt: Edit Masking Rules - Add, edit, or remove masking rules
- MaskIt: Preview Masked Data - Preview without modifying the file
Rule Types
MaskIt supports five rule types, accessible via Add Rule... in the Edit Masking Rules menu:
| Rule Type |
What it does |
| Field Rule |
Masks a column/field by its exact name (e.g. email, phone_number) |
| Wildcard Rule |
Masks columns matching a name pattern (e.g. *email*, customer_*) |
| Content Rule |
Masks values matching a regex (e.g. any email address, regardless of field name) |
| Protected Field |
Never masks this field, regardless of other rules |
| Protected Content Rule |
Never masks values matching a regex pattern |
Masking Types
MaskIt supports four masking types, shown with their display names when adding rules:
Replace all (full)
Replaces every character in the value with the mask character (default *). Use this when you want to completely hide the value.
| Input |
Output |
John Smith |
********** |
john@email.com |
*************** |
123-45-6789 |
************ |
Show ends (partial)
Shows the first and/or last N characters and masks the middle. Use this when you want to confirm the type of value while hiding the sensitive portion.
You configure how many characters to show at the start and end — for example, start: 2, end: 2:
| Input |
Start |
End |
Output |
john@email.com |
2 |
2 |
jo***om |
4111111111111111 |
4 |
4 |
4111********1111 |
555-123-4567 |
3 |
0 |
555********* |
Fingerprint (hash)
Replaces the value with the first 8 characters of its SHA-256 hash. The output is always a fixed-length alphanumeric string. Use this when you need a consistent, repeatable masked value — the same input always produces the same hash.
| Input |
Output |
john@email.com |
d0b99614 |
123-45-6789 |
a3f8b2c1 |
John Smith |
ef0a3b22 |
Note: Hash output is not reversible but is deterministic — the same value always hashes to the same result.
Scramble (random)
Replaces each character with a random character of the same type while preserving the original case. Use this when you want realistic-looking fake data that maintains the original format.
- Uppercase letters → random uppercase letters
- Lowercase letters → random lowercase letters
- Digits → random digits
- Special characters (spaces, dashes,
@, ., etc.) are kept as-is
- Date/time values → a random but valid date/time in the same format
| Input |
Output (example) |
John Smith |
Kvmp Brtxz |
555-123-4567 |
382-947-1056 |
4111 1111 1111 1111 |
7823 4591 2038 6714 |
john@email.com |
xkqr@nzpht.fwb |
JOHN DOE |
MRQP KTZ |
2023-07-15 |
1998-03-22 |
2023-07-15T14:30:45Z |
2041-11-08T07:52:19Z |
07/15/2023 |
04/22/2051 |
14:30:45 |
09:17:33 |
Note: Each masking operation produces a different random output. Use Fingerprint instead if you need consistent results.
Ambiguous date formats like XX/XX/XXXX and XX-XX-XXXX can be interpreted as either MM/DD/YYYY (US) or DD/MM/YYYY (AU/UK/EU). Use the dataMasking.dateFormat setting to control the interpretation:
| Setting |
First position |
Second position |
MM/DD/YYYY |
Month |
Day |
DD/MM/YYYY (default) |
Day |
Month |
Unambiguous formats (YYYY-MM-DD, ISO 8601, time-only) are unaffected by this setting.
Protected Fields
Prevent specific fields from being masked, even if they match other rules:
- Case-insensitive:
id matches ID, Id, iD
- Substring matching:
id protects user_id, customer_id, record_id
- Normalized matching: Ignores underscores, spaces, and dashes
Common Use Cases
- Protect identifier fields:
id, uuid, key
- Protect timestamps:
timestamp, created, updated
- Protect system fields:
version, status, type
To add a Protected Field, run MaskIt: Edit Masking Rules → Add Rule... → Protected Field.
Protected Content Rules
Prevent specific values from being masked based on their content, regardless of which field they belong to. If a value matches an exclusion regex, it is never masked — even if a field name rule, wildcard rule, or content rule would otherwise apply.
This is the opposite of Content Rules: Content Rules mask matching values, while Protected Content Rules protect matching values.
How It Works
- Protected Content Rules are checked before all masking rules
- If the value matches any enabled exclusion regex, it is skipped entirely
- Matching is case-insensitive by default; enable case-sensitive matching per rule when adding or editing
- Works across all file types (CSV, JSON, XML), including XML CDATA content
Preset Protected Content Rules
MaskIt ships with built-in exclusion patterns. They are added as disabled by default.
| Preset Name |
Regex |
Matches |
| Date Values |
^\d{4}[-/]\d{2}[-/]\d{2} |
2023-07-15, 2023/07/15 |
| Boolean Values |
^(true\|false\|yes\|no)$ |
true, FALSE, Yes |
| URL Values |
^https?:// |
https://example.com |
How to Use
- Run
MaskIt: Edit Masking Rules
- Select Add Rule... → Protected Content Rule to create a custom pattern, or Add preset Protected Content Rule... to pick from presets
- Presets are saved as disabled — select Enable / Disable Rule... to activate them
Content Rules
Mask values based on their content using regular expressions, regardless of field names. This is useful for masking data where the field names are inconsistent or unknown.
Example Patterns
| Pattern Name |
Regex |
Matches |
| Email |
[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,} |
user@example.com |
| SSN |
\d{3}-\d{2}-\d{4} |
123-45-6789 |
| Credit Card |
\d{4}[- ]?\d{4}[- ]?\d{4}[- ]?\d{4} |
4111-1111-1111-1111 |
| Phone |
\d{3}[-.)\s]?\d{3}[-.\s]?\d{4} |
555-123-4567 |
How It Works
- Content Rules are checked after field-based rules
- If no Field Rule or Wildcard Rule matches, Content Rules are applied
- Any value matching the regex will be masked according to the rule's settings
- Matching is case-insensitive by default; enable case-sensitive matching per rule when adding or editing
- Works across all file types (CSV, JSON, XML), including XML CDATA content
To add a Content Rule, run MaskIt: Edit Masking Rules → Add Rule... → Content Rule.
XML CDATA Support
MaskIt fully supports masking content inside XML <![CDATA[...]]> sections. The CDATA wrapper is preserved in the output — only the content inside is replaced.
<!-- Before -->
<Name><![CDATA[John Smith]]></Name>
<Email><![CDATA[john@example.com]]></Email>
<!-- After (Field Rule on Name, Content Rule for email) -->
<Name><![CDATA[**********]]></Name>
<Email><![CDATA[****************]]></Email>
All rule types work with CDATA content: Field Rules, Wildcard Rules, and Content Rules. Protected Fields and Protected Content Rules also apply — a protected field will not have its CDATA content masked.
Preset Content Rules
MaskIt ships with built-in regex patterns for common PII types. They are added as disabled by default so they have no effect until you activate them.
| Preset Name |
Matches |
| Email Address |
user@example.com |
| Credit Card Number |
4111 1111 1111 1111, 4111-1111-1111-1111 |
How to Use
- Run
MaskIt: Edit Masking Rules
- Select Add Rule... → Add preset Content Rule...
- Choose one or more presets — they are saved as disabled
- Select Enable / Disable Rule... to activate them when ready
Enable/Disable Rules
Temporarily disable rules without deleting them. This is useful for testing different masking configurations or keeping rules for future use.
Features
- Toggle Multiple Rules: Select and toggle multiple rules at once
- Visual Indicators: See which rules are enabled (✅) or disabled (🔴)
- All Rule Types: Works with Field Rules, Wildcard Rules, Content Rules, and Protected Content Rules
- Persistent: Disabled rules are saved in your configuration
How to Use
- Run
MaskIt: Edit Masking Rules
- Select Enable / Disable Rule...
- Select one or more rules to toggle
- Rules show current status:
ENABLED or DISABLED
When a rule is disabled:
- It won't be applied during masking
- It remains in your configuration for later use
- You can re-enable it anytime
To view the status of all rules, run MaskIt: Edit Masking Rules and select View All Rules.
License
MIT
